[keycloak-user] Keycloak security proxy: Access token in cookie support

Jonathan Lin jonathan at beliantech.com
Mon Sep 18 06:29:49 EDT 2017


Hi all, 

I have two clients, one for the API server (bearer-only), and another for front end (public), both in the same realm.

I have set up the Security Proxy that comes with Keycloak (http://www.keycloak.org/docs/3.3/server_installation/topics/proxy.html) with the following config. I am using Golang, hence am unable to use an official adapter.

{
    "target-url": "http://localhost:9090",
    "send-access-token": false,
    "bind-address": "localhost",
    "http-port": "8080",
    "applications": [
        {
            "base-path": "/",
            "adapter-config": {
                "realm": "demo-realm",
                "resource": "api-server",
                "auth-server-url": "http://auth.server/auth",
                "ssl-required": "external",
                "enable-cors": true,
                "cors-allowed-methods": "GET,POST",
                "cors-allowed-headers": "Authorization",
                "disable-trust-manager": true,
                "bearer-only": true,
                "token-store": "cookie"
            },
            "constraints": [
                {
                    "pattern": "/*",
                    "authenticate": true
                },
                {
                    "pattern": "/bar",
                    "permit": true
                }
            ]
        }
    ]
}

This works fine with the Authorization: Bearer header, where the token was obtained by the front end public client. But I need authentication when using <img> or <object> src URL attributes as well. Hence I need to be able to send the access token via cookie. Putting "token-store": "cookie" doesn't seem to do anything for me.

Any pointers?

Thanks,
Jonathan 
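
Added example, not part of the original post and not Keycloak or proxy code: one way a Go back end could accept the access token from either the Authorization header or a cookie and verify it itself. The cookie name `access_token` is hypothetical, and the sketch assumes RS256-signed tokens and a realm RSA public key that the caller has already loaded.

```go
package main

import (
	"crypto"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"net/http"
	"strings"
	"time"
)

const CookieName = "access_token" // hypothetical name chosen for this example

// TokenFromRequest prefers the Authorization header. Cookies ride along on cross-site
// requests, so the cookie is honoured only for GET/HEAD, which covers <img>/<object> loads.
func TokenFromRequest(r *http.Request) (string, error) {
	if h := r.Header.Get("Authorization"); strings.HasPrefix(h, "Bearer ") {
		return strings.TrimPrefix(h, "Bearer "), nil
	}
	c, err := r.Cookie(CookieName)
	if err != nil || (r.Method != http.MethodGet && r.Method != http.MethodHead) {
		return "", errors.New("no bearer header, and cookie absent or method not GET/HEAD")
	}
	return c.Value, nil
}

// VerifyRS256 checks signature and exp; the token's own alg header is never consulted.
func VerifyRS256(token string, key *rsa.PublicKey, now time.Time) error {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return errors.New("malformed token")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	sum := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || rsa.VerifyPKCS1v15(key, crypto.SHA256, sum[:], sig) != nil {
		return errors.New("bad signature")
	}
	var claims struct{ Exp int64 `json:"exp"` }
	body, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil || json.Unmarshal(body, &claims) != nil || now.Unix() >= claims.Exp {
		return errors.New("token expired or unreadable")
	}
	return nil
}

func main() {}
```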

